
VPN monitoring

vpn with none contains wo ip.png

vpn alert settings not working without ip.png

Total noob here. I want to create an alert for when a specific L2L tunnel goes down. I can pull the peer IPs with cikeTunRemoteValue and I can verify tunnels are going down with crasL2LNumSessions, but I am not getting alerts when I try to set up for the tunnel going down. I don't control either end of the VPN but I have set up SNMP to me through one side. When I test the trigger I am receiving an email, so that part is good.

I have tried the following:

  • So what is the identifying metric for when a tunnel goes down?

    Alert me when   A  is   B 

    What is the A and B here?

    Once we have that it will be easier to assist you.


    Couple of questions/assumptions -

    djb232 wrote:

    I can pull the peer ip's with cikeTunRemoteValue and I can verify tunnels are going down with crasL2LNumSessions

    Based on your explanation, I would assume:

    A = crasL2LNumSessions

    B = 0 (zero)

    However, looking at your examples in the pictures, I might assume:

    Alert me when (cikeTunRemoteValue is empty) AND (crasL2LNumSessions = 0)

    Is the cikeTunStatus poller needed here? What is the significance of that in this situation?

    -ZackM

    Loop1 Systems: SolarWinds Training and Professional Services

  • vpn with none contains wo ip.png

    Above the blacked-out node name is the node I have set up to an ASA whose tunnels I am trying to monitor. Below that, the blacked-out Value I specified is the IP of the remote peer whose status I am trying to track. So I was trying to say: On this node, with these remote VPN tunnel IPs (cikeTunRemoteValue), alert me when it does not contain the peer IP I am interested in.

    CrasL2LNumSessions tells how many site-to-site VPNs I have at the moment, in my case 10. Another way I had tried to set up the alert was by trying to say: Alert me when (cikeTunRemoteValue is remote peer IP) AND (cikeTunStatus is not 1)


    I really am not sure what is needed or the easiest way to accomplish my alert. I'm completely new. I can see the Value for cikeTunRemoteValue contains a list of the VPN remote peer IPs. I am interested in being alerted when one of those VPN tunnels goes down (is no longer listed by cikeTunRemoteValue). Thank you for responding.

  • So, without seeing the values being returned by your pollers, I am looking specifically at the alert logic right now.

    This is a replica of your situation, just using a different tabular poller:

    gui.jpg

    Now, when we look at the raw SQL syntax behind this alert, we can test and get the following error:

    pre.jpg

    Basically, what we are seeing here is a problem on line 12. The 'UniqueID' field is stored as a varchar data type in the CustomPollerStatusTable view that we are referencing, so we cannot use mathematical operations here. (You cannot have a mix of letters and numbers greater than an integer, in this case 0).

    To verify, we can comment out this portion of the query, and we get the following results:

    post.jpg

    To verify if this is the same issue you are experiencing, in the Advanced Alert Manager, you can define your alert, then change the type of property to 'Custom SQL Alert' for 'Custom Node Table Poller' and click the "Verify SQL" button:

    pre1.jpg

    If you see the same type of error as this, then try and comment out the last section as below (notice that I moved the 'AND' down a line to ensure that it was commented out as well):

    post1.jpg

    If this works, as seen above, then your final alert will need to be a Custom SQL Alert like this and this should be the syntax you use:

    WHERE
    (
      (Nodes.Caption = '<INSERT NODE NAME HERE>') AND
      (CustomPollers.UniqueName = 'cikeTunRemoteValue') AND
      (
      NOT (CustomPollerStatusTable."Value" = '<INSERT PEER IP HERE>')
      )
    )

    If this is indeed the case, I would open a ticket with SolarWinds as this might be a bug in the software. Hopefully this is not seen in NPM 11.5 with the new web engine for alerts. I don't currently have an RC installed to test the theory on, unfortunately.

    Maybe aLTeReGo or rob.hock can get some visibility on this internally?

    Good luck! Please let us know what you find out!

    -ZackM


  • I've tried using SolarWinds to monitor IPSEC tunnels on our ASAs without any success, and I've fidgeted with those "cikeTunRemote" UnDP's but never got anything useful out of them. What I've ended up doing is adding two nodes for each firewall, one for both the inside and outside interface IP addresses. Obviously if the outside is up but the inside is down, there's potentially a problem with your tunnel (or the switch it might be connected to).

    If someone has found a method to poll an ASA for bandwidth & status information about its VPN tunnels, PLEASE LET US KNOW.

  • Zackm, you were right about the error I was getting, and when I plugged in the syntax you suggested the SQL was then validated; however, I still did not receive the alert I was hoping for. After contacting SolarWinds, they said they are not sure the results I am looking for can be achieved with cikeTunRemoteStatus because the row I am alerting on is 'disappeared'.

    Their suggestion was to create a trap or syslog from the ASA for the tunnel going down and alert based on that. I am now trying to set a trap with

    snmp-server enable traps ipsec tunnel stop

    However, for some reason my SNMP server isn't getting the trap (even in a packet capture) when a test tunnel is brought down on the ASA.
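
Added example (not part of the posts above, and not SolarWinds code): a sketch of why the tunnel-down case needs an absence check rather than a condition on the row itself. It assumes, as the support reply suggests, that a condition on cikeTunRemoteValue is evaluated against each row the poller currently returns; the peer addresses and function names are constructed for illustration.

```python
# Constructed polls of the cikeTunRemoteValue column (one peer IP per tunnel row).
EXPECTED = ["192.0.2.10", "198.51.100.20"]                    # peers we care about
POLL_UP = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]     # all tunnels up
POLL_DOWN = ["198.51.100.20", "203.0.113.30"]                 # 192.0.2.10 row is gone


def per_row_matches(rows, peer_ip):
    """Rows that satisfy a row-level condition NOT (Value = peer_ip)."""
    return [r for r in rows if r.strip() != peer_ip]


def missing_peers(rows, expected):
    """Absence check: expected peers that have no row in this poll."""
    present = {r.strip() for r in rows}
    return sorted(set(expected) - present)


def tunnel_events(previous, current, expected):
    """Compare two polls and classify each expected peer that is not up."""
    before = set(missing_peers(previous, expected))
    now = set(missing_peers(current, expected))
    return {
        "down": sorted(now - before),        # newly missing: raise the alert
        "up": sorted(before - now),          # row is back: reset the alert
        "still_down": sorted(now & before),  # already alerted, do not repeat
    }


if __name__ == "__main__":
    # The row-level condition matches the same rows whether the tunnel is
    # up or down, so it cannot distinguish the two states.
    print(per_row_matches(POLL_UP, "192.0.2.10"))
    print(per_row_matches(POLL_DOWN, "192.0.2.10"))
    # The absence check reports the peer whose row disappeared.
    print(tunnel_events(POLL_UP, POLL_DOWN, EXPECTED))
```
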

  • The first thing I would do is enable some more traps to see if the issue is with sending the traps or receiving them. In other words, if you can receive any traps from your router, then you have confirmed communication across UDP Port 162 (default). Once you have confirmed this, then you can try and narrow down a potential configuration issue on the router itself. The reason for enabling more traps is just to make sure that you have some good data to work with.

    I'm sure you have some references already, but just in case: https://supportforums.cisco.com/document/11376/how-can-i-monitor-vpn-tunnel-status-through-snmp

    Good luck! Please let me know how it works out!
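
Added example (not from the thread): a receiver-side check for the step described in the last reply, deciding whether traps reach the collector on UDP 162 at all. It parses only the SNMP v1/v2c message header (version, community, PDU type); the sample datagrams and community strings are constructed, and listen() is a hypothetical helper name.

```python
import socket

# Context-specific PDU tags that can arrive on the trap port.
PDU_NAMES = {0xA4: "v1-trap", 0xA6: "inform", 0xA7: "v2c-trap"}
VERSIONS = {0: "1", 1: "2c", 3: "3"}

# Constructed header-only samples: SEQUENCE, version, community, empty PDU.
SAMPLE_V2C = bytes.fromhex("300d0201010406" "7075626c6963" "a700")  # "public"
SAMPLE_V1 = bytes.fromhex("300d0201000406" "76706e6d6f6e" "a400")   # "vpnmon"

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def parse_trap_header(datagram):
    """Return version, community and PDU type, or None if this is not SNMP."""
    try:
        tag, start, end = _read_tlv(datagram, 0)
        if tag != 0x30 or end > len(datagram):    # outer SEQUENCE must fit
            return None
        tag, vs, ve = _read_tlv(datagram, start)
        if tag != 0x02:                           # INTEGER version
            return None
        version = int.from_bytes(datagram[vs:ve], "big")
        if version > 1:                           # SNMPv3 carries no community
            return {"version": VERSIONS.get(version, str(version)),
                    "community": None, "pdu": None}
        tag, cs, ce = _read_tlv(datagram, ve)
        if tag != 0x04:                           # OCTET STRING community
            return None
        pdu = datagram[ce]
        return {"version": VERSIONS[version],
                "community": datagram[cs:ce].decode("ascii", "replace"),
                "pdu": PDU_NAMES.get(pdu, "other(0x%02x)" % pdu)}
    except IndexError:                            # truncated datagram
        return None

def listen(port=162, count=5):
    """Print source and parsed header for the next `count` datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _sport) = s.recvfrom(65535)
            print(src, parse_trap_header(data))

if __name__ == "__main__":
    listen()
```

Port 162 usually needs elevated privileges and is normally held by the NMS trap service, so stop that service first or run this on a test host. A datagram that arrives with an unexpected community or version points at the receiver's configuration; no datagram at all points back at the sender or the path.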